Picture this – you’re planning a road trip and map out your route. You identify places you want to visit, eat, and stay along the way.
When it comes time to actually hit the road though, you put on a blindfold and start driving in the direction you think you should be going.
Now I doubt anyone reading this would ever attempt something this foolhardy – however, flying blind is something too many organizations do when it comes to risk activities.
An enterprise risk management program that truly serves the organization is about much more than creating a list of risks.
While the identification stage of the ERM process is crucial for understanding risks and opportunities, the assessment process is how this list is transformed into a tool for protecting and building value.
Although I say enterprise risk assessment, terms like risk analysis or risk evaluation are also commonly used. Some organizations in fact combine this process with risk identification to create a seamless transition between the two phases of the ERM process.
Before diving into why risk assessment is so important, I want to provide my way of defining this invaluable step…
I believe this is the most straightforward way to define enterprise risk assessment. Frameworks like ISO 31000, COSO, and others define it as well, but their explanation can be confusing and not workable for many organizations in my experience. Norman Marks appears to agree according to his book World-Class Risk Management.
Why is enterprise risk assessment important?
Now that we understand what risk assessment is and that it occurs after the identification phase in the ERM process, I want to take some time to discuss why it’s important.
In short, enterprise risk assessment helps management understand which risks are important and how they connect with the strategic plan, organizational mission, or specific operation.
Without a solid process for analyzing risk information, your organization can suffer many consequences, some of which can be devastating.
Let’s take our scenario from the beginning as an example. If you were to actually blindfold yourself and start driving, the best case scenario is that you end up going in a different direction than needed. Worst case is that you are in a fatal accident.
Not taking the time to carefully analyze and prioritize your organization’s risks is much the same…
At best, you will end up wasting scarce resources on risks that are not that significant in the long run. This, of course, leaves the more significant risks and weaknesses unaddressed, exacerbates existing problems, and even creates new ones, which could lead to even more severe consequences.
In short, you end up increasing your risks explains IT-security consultant Chris Cronin, who also says that a poorly managed or non-existent risk assessment process can have legal ramifications. For instance, if a jury finds out that an organization knew about a risk but did nothing to address it, the financial and reputational fallout could be devastating.
How is information for a risk assessment gathered?
Like risk identification, there are several methods organizations use to gather information for an assessment. And like risk identification, the method will depend on a variety of factors such as the audience (C-suite vs. middle management vs. front-line staff), company culture, and the level of detail the assessment will cover.
Broadly speaking, the top-executives and their direct reports are the primary people involved in a risk assessment. Some organizations may involve lower management levels in their assessments depending on the particular risk(s), subject matter, and the maturity of the process.
Also, some organizations will just collect assessment information in the identification phase.
Common methods for gathering information on the importance and impact of risks include a combination of the following:
- Surveys – Especially useful for gathering information from a larger group, especially at the lower levels of the organization. Typically combined with interviews or workshops to refine the results.
- Interviews – One-on-one interviews are usually reserved for top executives to discuss the bigger picture risks to strategy, etc. Interviews are also the preferred way to discuss sensitive topics.
- Workshops/Meetings – These meetings typically occur with small-to-medium groups from the board, senior executives, and even the director level. It’s this type of meeting where priorities for which risks to focus on start coming into view.
Gathering information for a risk assessment can seem tedious and even intimidating to many involved, which is why detailed and transparent dialogues are so important. Using a survey alone will not provide the information needed for an adequate risk assessment, which of course opens up new risks.
According to management consultant Carolyn Goga in an article in Risk Management Magazine, uncovering the real issues affecting the organization will come from discussion and debate. As she explains, “the information gained will inform the company of its true state, uncover opportunities and help drive it in the right direction.”
What is enterprise risk assessment measuring?
In my definition of enterprise risk assessment, I explain that the ultimate goal of evaluating a risk is to understand the influence it will have on the organization. Influence is just an umbrella term to describe the various dimensions that a risk assessment measures.
A traditional risk management assessment will only consider the overall impact a particular risk will have, and in some cases, probability of occurrence.
However, one big difference between traditional and enterprise risk management is the multiple dimensions that are considered when evaluating risks. These can include:
- Velocity (how soon will the risk affect the organization)
- Preparedness (how prepared is the organization to respond to the risk)
- Reputational impact
- Persistence (how long will the effects last)
- Interdependency of risks
Almost every organization doing risk assessments will examine the probability of occurrence and impact. Second to that, velocity and preparedness for particular risks are commonly considered.
The dimensions are very organization and situation specific. If risks are not very complex, impact and probability of occurrence should suffice. However, an organization that needs or wants to understand a particular risk more in-depth may consider additional dimensions during their assessment.
It’s important to note that assessing risks at too high of a level will make it difficult to identify issues and solutions, while getting too specific can lead to big issues being drowned out by small details.
It’s also critical to mention that enterprise risk assessments are not just looking at negative impacts, but positive ones as well. By not considering the impact, probability, velocity, and preparedness, a firm can miss out on opportunities arising from a particular event.
For an example, check out one of my first posts discussing risk management decisions in the aftermath of a hurricane. Retailers who considered opportunities following an event like this realized tremendous benefits to not just their bottom line, but their reputations as well.
Risk scoring/ranking/analysis – transforming assessment information into something actionable
Up until now, the enterprise risk assessment process has been more research. But at some point, you have to translate all of this information into something usable for decision-making.
At the end of the day, that is the heart of what enterprise risk management does.
I could write a book on this topic, but I’m going to save that for another time…
After agonizing over where to start, I think the best way to begin talking about this complex subject is to break it down between qualitative and quantitative.
Qualitative risk analysis
This analysis will use descriptive elements to rank a particular risk. For some risks like reputation, legal, or talent, it can be the only option since it’s really difficult to assign a dollar or some other numerical value to these.
Also, for the sake of simplicity when establishing your enterprise risk assessment process, qualitative analysis is a better option to choose unless your organization already has robust modeling and data analysis capabilities. If you jump head first into quantitative risk analysis, you risk (…no pun intended) overwhelming individuals who are key to making ERM a success for the long haul.
Qualitative risk analysis is commonly used in surveys. It asks the individual to assign a risk a score based on a numbered scale. The scale is usually 1-5, sometimes 1-3, or some other scale such as high, medium, or low. Risk management staff should provide details on probability ranges and other criteria. Below is an example of what the scale and criteria could look like.
- This process can be very subjective since one person will view a risk with more urgency than someone else.
- People with skin in the game, those who want resources to address a particular risk, may be inclined to score that risk higher than it really deserves.
ERM takes information from these surveys to develop risk scores. Multiplying impact by likelihood is by far the most basic, and common. (I do not recommend it for various reasons, but I will save that for the book mentioned earlier!). However, there are a wide variety of practices organizations can consider. Below are a few examples according to a survey from NC State…
Another scoring option organizations use is to plot risks on a risk map or heat map, which is simply “…a graphical representation of likelihood and impact of one or more risks” according to COSO.
Here’s an example heat map using a 1 to 5 scale:
Truly understanding the importance of a risk requires more than coming up with a number or plotting a point on a chart. Risk professionals can take this information and use it to prompt discussions in an interview or workshop. It is during this collaborative process where participants’ view of a risk can change in light of new information, which can therefore alter its final score and how it’s ultimately handled.
Quantitative risk analysis
Having a hard number for impact values rather than a descriptive term is another way organizations score risks. Examples can include a dollar impact in the form of losses, fines, cash flow, or additional revenue, the number of incidents (safety), and more.
Quantitative analyses are commonly used to rank financial, credit, or market risks, so they are quite prevalent in financial institutions.
Organizations with robust data analysis and capital modeling capabilities can use quantitative analysis for examining a variety of risks, which is much more sophisticated than a qualitative analysis. Quantitative analyses are also commonly based on historical data, which is one reason why it can be impractical for those early in their ERM journey.
Similar to results from a qualitative risk analysis, information from quantitative analysis can help guide further discussions. Unlike qualitative analysis, a quantitative analysis tends to be more objective in nature.
Another risk analysis method that merits our attention is forced ranking. It was developed by Bonnie Hancock, Executive Director of the ERM Initiative at NC State, after observing assessment processes in action across a variety of industries.
One issue she would encounter is how risk scores would consistently “bunch” together in the middle of the scale. As I explained before with qualitative analysis, participants rank risks on a scale based on their knowledge and opinion of it. One person may give a risk a low score of 1 while someone else may assign it a 5. The final result would often just be an average and not useful for decision making.
Therefore, to understand which risks are more important and to simplify the ranking process, the forced ranking method was developed. Participants are simply asked to rank a list of risks, usually 10, regardless of dimensions. The most significant risk is given a score of 10, the 2nd most a score of 9, and so on.
When all of the results are in, the scores for each risk are added up to arrive at a final score, which is of course used to guide further discussions.
As you can imagine, I have my own impressions of the various scoring methodologies that I can elaborate on, but since this article is focusing on a high-level overview of enterprise risk assessment, I want to save that commentary for a future post. For some thoughts on the limitations of heat maps, I suggest checking out this article from my colleague Ashley Jones.
What happens from here?
Once risk information is gathered, scored, and the results are debated, the process still isn’t finished. Organizations too often go through these steps just to cast the information aside when actual decisions are being made.
However, with this information in hand, decision makers at your organization should have a pretty good idea of which risks to focus on and for choosing the right risk response.
In order to choose the right treatment, the risk will need to be compared to the organization’s risk tolerance and appetite, which I discuss here.
A couple of important points before wrapping up…
As I explain in my definition of enterprise risk assessment, the process is continually evolving and executed on a regular basis. Circumstances and priorities will change how management should respond to risks, so it is important risk assessments be done at least annually and perhaps even semi-annually for more urgent, fluid, or high-impact risks. RTI International for instance only does a full risk assessment every 3 years, but examines emerging risks quarterly.
My personal preference includes timing the assessments to when controls or mitigation activities are put into place, since the effectiveness of those activities should change the assessment. And for those risks above the risk tolerance, look at velocity as a way to prioritize the risks, as those with a shorter window to respond mean the organization needs to get its act together.
Also, as you go along, you will learn what methods for gathering information and scoring risks work for your organization. While the initial setup of the process is an important part of developing an ERM framework, the flexibility to change based on actual experience is equally as important.
Do you have an enterprise risk assessment process setup for your organization? What were your challenges? Do you combine risk identification and assessment in your ERM process?
If you do NOT have a process yet, what do you foresee as the biggest obstacle to transforming risk information into something actionable?
Please don’t hesitate to leave a comment below or join the conversation on LinkedIn to share your perspective. I’m always interested in learning from others’ experience and the valuable insights these conversations can yield for us all.
And if you’re trying to develop your enterprise risk assessment process or need to refine it to provide leadership with better risk information for decision-making, I invite you to contact me to discuss how my suite of services can move you forward in your ERM journey.
For further reading:
- Survey of Risk Assessment Practices; Bonnie V. Hancock, Executive Director of the ERM Initiative at North Carolina State University.
- Enterprise Risk Management: Frameworks, Elements, and Integrations; Drs. William G. Shenkir and Paul L. Walker on behalf of the Institute of Management Accountants.